mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(ops/modules): Move journaldriver configuration into module

Browse source 
This makes the journaldriver configuration machine-independent.
The secret is loaded from agenix instead of being persisted on disk.

Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
Vincent Ambo 2022-02-17 13:36:57 +03:00 committed by tazjin
parent c72abe04f2
commit 536e01e967
2 changed files with 27 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
ops/machines/whitby/default.nix
View file

@ -13,6 +13,7 @@ in
"${depot.path}/ops/modules/gerrit-queue.nix"
"${depot.path}/ops/modules/irccat.nix"
"${depot.path}/ops/modules/josh.nix"
"${depot.path}/ops/modules/journaldriver.nix"
"${depot.path}/ops/modules/known-hosts.nix"
"${depot.path}/ops/modules/monorepo-gerrit.nix"
"${depot.path}/ops/modules/nixery.nix"
@ -481,13 +482,6 @@ in
ops.deploy-whitby
]);
services.journaldriver = {
enable = true;
googleCloudProject = "tvl-fyi";
logStream = "whitby";
applicationCredentials = "/var/lib/journaldriver/key.json";
};
# Required for prometheus to be able to scrape stats
services.nginx.statusPage = true;

26
ops/modules/journaldriver.nix Normal file
View file

@ -0,0 +1,26 @@
# Configures journaldriver to forward to the tvl-fyi GCP project from
# TVL machines.
{ config, depot, lib, pkgs, ... }:
{
imports = [
(depot.third_party.agenix.src + "/modules/age.nix")
];
age.secrets.journaldriver.file = depot.ops.secrets."journaldriver.age";
services.journaldriver = {
enable = true;
googleCloudProject = "tvl-fyi";
logStream = config.networking.hostName;
};
# Override the systemd service defined in the nixpkgs module to use
# the credentials provided by agenix.
systemd.services.journaldriver = {
serviceConfig = {
LoadCredential = "journaldriver.json:/run/agenix/journaldriver";
ExecStart = lib.mkForce "${pkgs.coreutils}/bin/env GOOGLE_APPLICATION_CREDENTIALS=\"\${CREDENTIALS_DIRECTORY}/journaldriver.json\" ${depot.ops.journaldriver}/bin/journaldriver";
};
};
}